Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Application Security: We Still Have A Long Way To Go
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
irakov
50%
50%
irakov,
User Rank: Apprentice
11/21/2013 | 2:09:07 PM
App security tools ?
Jeff,


The companies still do not allocate enough time for app level security review and testing. HealthCare.gov is one recent example. It would useful if you could write a high-level review of the app security tools that allow projects to address app security issues.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/21/2013 | 4:23:01 PM
Re: App security tools ?
@irakov raises two great points about 1. companies not giving developers the time they need for security review and testing and 2. guidance about the best tools available to perform those test.  For example,  what are the steps you recommend to make headway against SQL Injection?
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
11/21/2013 | 5:39:47 PM
Re: App security tools ?
Not providing developers with ample time has always been a problem, at least in my experiences. The reason is usually because developers have to deal with deadlines and demands that management doesn't always know impacts the software development lifecycle. Doesn't anyone else here agree with that assessment?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/22/2013 | 8:08:55 AM
Re: App security tools ? & deadlines and security priorities
I've heard that complaint from developers many times, danielcawrey. What do you think management should know about the software development process that would lead to better application security? 
marktroester
50%
50%
marktroester,
User Rank: Apprentice
11/22/2013 | 2:33:02 PM
OWASP A9 & Components
Thanks for article Jeff, and your presentations at AppSecUSA! It's great to see that OWASP has recognized the prevalence of components in today's applications. Sonatype has done research that indicates that the average application consists of 80% or more open source components. While using components like web frameworks, logging utilities, database access routines, etc., speed development, if organizations don't manage the use of components, they can put the organization at risk.

We published a whitepaper that addresses the A9 requirement and application components -

http://www.sonatype.com/resources/whitepapers

There is also a PCI related whitepaper as well.

Thanks, 

Mark Troester

Sonatype

@mtroester

 
J_Brandt
50%
50%
J_Brandt,
User Rank: Apprentice
11/24/2013 | 4:54:35 PM
Re: OWASP A9 & Components
Time is not given for appropriate security testing because security still doesn't rate high enough in enough people's minds.  That has to change.
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
11/26/2013 | 1:01:52 PM
applications security
Beyond encryption, new technologies/processes (keyless authentication) for secure applications are being developed. I believe that that will be the future of data integrity.
SachinEE
100%
0%
SachinEE,
User Rank: Apprentice
11/27/2013 | 1:09:24 AM
Re : Application Security: We Still Have A Long Way To Go
@ danielcawrey, I strongly agree with you on this. It is a problem developers have always been complaining about that they are not given sufficient time to do their job thoroughly and their own way. When you are tightly running against time, you are sure to miss out on some minor things which in case of application development don't prove to be that minor vulnerabilities.
SachinEE
50%
50%
SachinEE,
User Rank: Apprentice
11/27/2013 | 1:09:29 AM
Re : Application Security: We Still Have A Long Way To Go
This is quite understandable that when developers have to leverage their app with other sources like libraries which are not under their control they are dealing with danger. What could possibly be done about it? Should they be selective about giving access to libraries considering potential vulnerabilities which come with them? Or they can actually do something about those vulnerabilities?
planetlevel
50%
50%
planetlevel,
User Rank: Author
12/9/2013 | 11:54:07 AM
Re: App security tools ?
Hi irakov,

You're right that developers are often put into the very difficult position of being blamed for security problems without the proper process/tools/time/etc... to actually make that happen.  I gave a talk recently "Application Security at DevOps Speed and Portfolio Scale" that presents a new approach to this dilemma.  I'll be writing more about this, but I'd love to hear your thoughts.  youtube.com/watch?v=cIvOth0fxmI

--Jeff
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14190
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.
CVE-2020-29074
PUBLISHED: 2020-11-25
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.
CVE-2020-14191
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...